The Google Chrome web store has recently been in the spotlight for the security risks that some of its extensions pose. Most recently, Google had to remove two Chrome extensions that silently injected ads or malware into websites, infecting unsuspecting users. More than 100,000 users may have been affected before Google removed the two extensions.

At Barracuda Labs, we have monitored Chrome extension spam since October 2012, when we found several spamming extensions that used Rovio's famous puzzle games as the hook to attract 82,000 users in a few days. In the last few weeks, we have uncovered another large spam campaign back in the Chrome web store.

In summary, we found 12 Chrome extensions that inject advertisements into 44 popular websites; together they have been installed by more than 180,000 Chrome users (see Table 1).

Table 1: The List of Ads-injecting Chrome Extensions Still Live Till Jan-30-2014

As last time, all of these extensions require the permission "Your data on all websites", which is what allows the ads to be injected into any website the user browses.

All of these extensions are registered under the same developer: www.konplayer.com.

Figure 1: one of the ads-injecting extensions from www.konplayer.com with 81,158 users

Unlike our last findings, the extension package does not itself contain the malicious JavaScript. Instead, the code only references a URL, and the JavaScript is hosted on another domain, www.chromeadserver.com, a name chosen to make unsuspecting users think Google owns it. It does not. Hosting the payload remotely also means the behaviour of an already-installed extension can be changed at any time, without pushing a new version through the web store.

Figure 2: Javascript code of the ads-injecting Chrome extension

Downloading the JavaScript from that URL, we noticed that the file starts with the jQuery library (a JavaScript library widely used in website design), which looks entirely benign. Later in the file, however, obfuscated JavaScript begins, which is very suspicious.

After decoding the hexadecimal ASCII escapes and reassembling the pieces, we recovered the following code and spent some time understanding it. It looks familiar.

Figure 4: Obfuscated javascript code adschrome.js

A careful reading of the decoded program shows that it is the source of the ad banners injected at various positions on 44 popular websites. The list of these 44 websites follows:

Table 2: The List of Websites that will be injected with Ads by the Above Chrome Extensions

Website | Website
--- | ---
chrome.angrybirds.com | www.myhappygames.com
heikki.angrybirds.com | www.chromegamez.com
poppit.pogo.com | www.gamesvarious.com
chrome.monsterdashgame.com | msn.com
www.officewebgames.com | yahoo.com
game2player.com | youtube.com
www.flashgames101.com | www.negane.com
games4chrome.com | imdb.com
www.tarmogames.com | myspace.com
www.gamesgator.com | chrome.plantsvszombies.com
www.douchegames.com | bejeweled.popcap.com
higamecenter.com | evolvedonlinegames.com
chromegamebox.com | www.webstoregames.com
kizi.com | www.wardoom.com
home.sweetim.com | www.sasquatchsurvivor.com
www.juegos.com | www.realmofthemadgod.com
www.miniclip.com | gameboysite.com
naclgames.com | www.pinkemu.com
armorgames.com | www.silverstoregames.com
chrometopgames.com | disney.go.com
chrome.kingstonking.com | 2048gamers.com
captainwebstore.com | entanglement.gopherwoodstudios.com

We also noticed that this code was used in the ads-injecting Chrome extensions disclosed in our last report. It is probably the same group, which has merely changed its name from www.playook.info to www.konplayer.com.

Google can certainly remove these spam extensions from the web store now to protect future victims, but what if the group changes its name again, or relocates and tweaks the spam code? Until Google provides a sustainable solution, Chrome users have to learn to protect themselves. As we have always advised, Chrome users should be very careful when installing Chrome extensions, even from the Google Chrome web store. Use common sense to judge whether an extension needs the permissions it requests. If any permission seems beyond what the extension should need to do its job, do not install it.

Once again, Google failed to protect Chrome users by allowing these spam extensions on its shelves, something users should certainly consider when deciding which products to use.